* [PATCH BlueZ v1 0/1] Fix heap-use-after-free in setup_free()
From: Sarveshwar Bajaj @ 2025-12-23 13:51 UTC (permalink / raw)
To: linux-bluetooth
Cc: luiz.dentz, vinit.mehta, sarveshwar.bajaj, mahesh.talewad,
devyani.godbole
Hi Maintainers,
In the current implementation, each broadcast setup maintains a
pointer to its associated BIS stream. During teardown, the detach
procedure frees the BIS streams when removing or disconnecting a
broadcast session. However, later in the teardown sequence, setup_free()
assumes that the stream is still valid and attempts to unlock and release
it, leading to a use-after-free.
This issue is fixed by skipping the unlock/release in setup_free() and
clearing setup->stream to prevent further access to the freed object.
This ensures proper cleanup without triggering the UAF. The fix was
tested under ASan with repeated disconnect/remove cycles involving
multiple BIS streams.
Sarveshwar Bajaj (1):
profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
profiles/audio/bap.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--
2.48.1
* [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
From: Sarveshwar Bajaj @ 2025-12-23 13:51 UTC (permalink / raw)
To: linux-bluetooth
Cc: luiz.dentz, vinit.mehta, sarveshwar.bajaj, mahesh.talewad,
devyani.godbole
Fix crash when removing or disconnecting a device with active broadcast
streams. AddressSanitizer reports a heap-use-after-free in
bt_bap_stream_get_state() called from release_stream() during
setup_free().
Detach frees BIS streams during teardown, but setup_free() still
unlocks and releases setup->stream afterwards, leaving a stale pointer
and triggering UAF. This can happen with multiple BIS streams since
each setup holds its own invalid reference.
Fix by skipping unlock/release in setup_free() and clearing
setup->stream to prevent further access.
Log:
ERROR: AddressSanitizer: heap-use-after-free on address
0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp 0x7ffcdef9b860
READ of size 8 at 0x7c43a43e3458 thread T0
#0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
#1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
#2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
#3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
#4 0x572415a29440 in queue_destroy src/shared/queue.c:60
#5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
#6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
#7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
#8 0x5724159a7eb9 in service_remove src/service.c:239
#9 0x5724159cfa49 in device_remove src/device.c:5489
#10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
#11 0x5724159b99c7 in device_disappeared src/device.c:3854
#12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
#13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
#14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
#15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
#16 0x7f63a58f9156 in g_main_loop_run
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
#17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
#18 0x572415abd9c4 in mainloop_run_with_signal
src/shared/mainloop-notify.c:196
#19 0x5724159ea378 in main src/main.c:1550
#20 0x7f63a562a577 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
#22 0x57241587d464 in _start
(/home/workspace/bluez/src/bluetoothd+0x106464)
0x7c43a43e3458 is located 120 bytes inside of 160-byte region
[0x7c43a43e33e0,0x7c43a43e3480)
freed by thread T0 here:
#0 0x7f63a5b212ab in free
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
#2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
---
profiles/audio/bap.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index cda10a643..f30262987 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1113,12 +1113,7 @@ static void setup_free(void *data)
if (setup->destroy)
setup->destroy(setup);
- bt_bap_stream_unlock(setup->stream);
-
- if (!closing) {
- /* Release if not already done */
- release_stream(setup->stream);
- }
+ setup->stream = NULL;
if (setup->ep)
bap_update_cigs(setup->ep->data);
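Review bot: Dropping bt_bap_stream_unlock() and release_stream() unconditionally changes setup_free() for every setup, not only the broadcast-sink case where detach has already freed the stream; a unicast setup that still holds a live, locked stream would now leak the lock and skip the release. The added `setup->stream = NULL;` only protects code that runs after this point inside setup_free(), so it does not by itself remove the stale pointer that the ASan trace shows being read. A narrower fix would clear setup->stream (or drop the setup from its owner's list) at the point where the BIS stream is actually freed, and keep the unlock/release here behind `if (setup->stream)`.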
--
2.48.1
* Re: [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
From: Pauli Virtanen @ 2025-12-23 14:22 UTC (permalink / raw)
To: Sarveshwar Bajaj, linux-bluetooth
Cc: luiz.dentz, vinit.mehta, mahesh.talewad, devyani.godbole
Hi,
On Tue, 2025-12-23 at 19:21 +0530, Sarveshwar Bajaj wrote:
> Fix crash when removing or disconnecting a device with active broadcast
> streams. AddressSanitizer reports a heap-use-after-free in
> bt_bap_stream_get_state() called from release_stream() during
> setup_free().
>
> Detach frees BIS streams during teardown, but setup_free() still
> unlocks and releases setup->stream afterwards, leaving a stale pointer
> and triggering UAF. This can happen with multiple BIS streams since
> each setup holds its own invalid reference.
>
> Fix by skipping unlock/release in setup_free() and clearing
> setup->stream to prevent further access.
>
> Log:
> ERROR: AddressSanitizer: heap-use-after-free on address
> 0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp 0x7ffcdef9b860
> READ of size 8 at 0x7c43a43e3458 thread T0
> #0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
> #1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
> #2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
> #3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
> #4 0x572415a29440 in queue_destroy src/shared/queue.c:60
> #5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
> #6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
> #7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
> #8 0x5724159a7eb9 in service_remove src/service.c:239
> #9 0x5724159cfa49 in device_remove src/device.c:5489
> #10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
> #11 0x5724159b99c7 in device_disappeared src/device.c:3854
> #12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
> #13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
> #14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
> #15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
> #16 0x7f63a58f9156 in g_main_loop_run
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
> #17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
> #18 0x572415abd9c4 in mainloop_run_with_signal
> src/shared/mainloop-notify.c:196
> #19 0x5724159ea378 in main src/main.c:1550
> #20 0x7f63a562a577 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
> #21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
> #22 0x57241587d464 in _start
> (/home/workspace/bluez/src/bluetoothd+0x106464)
> 0x7c43a43e3458 is located 120 bytes inside of 160-byte region
> [0x7c43a43e33e0,0x7c43a43e3480)
> freed by thread T0 here:
> #0 0x7f63a5b212ab in free
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
> #1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
> #2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
> ---
> profiles/audio/bap.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
> index cda10a643..f30262987 100644
> --- a/profiles/audio/bap.c
> +++ b/profiles/audio/bap.c
> @@ -1113,12 +1113,7 @@ static void setup_free(void *data)
> if (setup->destroy)
> setup->destroy(setup);
>
> - bt_bap_stream_unlock(setup->stream);
> -
> - if (!closing) {
> - /* Release if not already done */
> - release_stream(setup->stream);
> - }
> + setup->stream = NULL;
This breaks various aspects of unicast, so it doesn't look correct.
Possibly, the problem is that state transition to IDLE is not correctly
emitted from src/shared/bap.c for BIS when it is detached.
Or, setup->stream should be set to NULL at the point where it is
invalidated.
>
> if (setup->ep)
> bap_update_cigs(setup->ep->data);
--
Pauli Virtanen
* Re: [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
From: Pauli Virtanen @ 2025-12-23 14:40 UTC (permalink / raw)
To: Sarveshwar Bajaj, linux-bluetooth
Cc: luiz.dentz, vinit.mehta, mahesh.talewad, devyani.godbole
On Tue, 2025-12-23 at 16:22 +0200, Pauli Virtanen wrote:
> Hi,
>
> On Tue, 2025-12-23 at 19:21 +0530, Sarveshwar Bajaj wrote:
> > Fix crash when removing or disconnecting a device with active broadcast
> > streams. AddressSanitizer reports a heap-use-after-free in
> > bt_bap_stream_get_state() called from release_stream() during
> > setup_free().
> >
> > Detach frees BIS streams during teardown, but setup_free() still
> > unlocks and releases setup->stream afterwards, leaving a stale pointer
> > and triggering UAF. This can happen with multiple BIS streams since
> > each setup holds its own invalid reference.
> >
> > Fix by skipping unlock/release in setup_free() and clearing
> > setup->stream to prevent further access.
> >
> > Log:
> > ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp 0x7ffcdef9b860
> > READ of size 8 at 0x7c43a43e3458 thread T0
> > #0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
> > #1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
> > #2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
> > #3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
> > #4 0x572415a29440 in queue_destroy src/shared/queue.c:60
> > #5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
> > #6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
> > #7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
> > #8 0x5724159a7eb9 in service_remove src/service.c:239
> > #9 0x5724159cfa49 in device_remove src/device.c:5489
> > #10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
> > #11 0x5724159b99c7 in device_disappeared src/device.c:3854
> > #12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
> > #13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
> > #14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
> > #15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
> > #16 0x7f63a58f9156 in g_main_loop_run
> > (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
> > #17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
> > #18 0x572415abd9c4 in mainloop_run_with_signal
> > src/shared/mainloop-notify.c:196
> > #19 0x5724159ea378 in main src/main.c:1550
> > #20 0x7f63a562a577 in __libc_start_call_main
> > ../sysdeps/nptl/libc_start_call_main.h:58
> > #21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
> > #22 0x57241587d464 in _start
> > (/home/workspace/bluez/src/bluetoothd+0x106464)
> > 0x7c43a43e3458 is located 120 bytes inside of 160-byte region
> > [0x7c43a43e33e0,0x7c43a43e3480)
> > freed by thread T0 here:
> > #0 0x7f63a5b212ab in free
> > ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
> > #1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
> > #2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
> > ---
> > profiles/audio/bap.c | 7 +------
> > 1 file changed, 1 insertion(+), 6 deletions(-)
> >
> > diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
> > index cda10a643..f30262987 100644
> > --- a/profiles/audio/bap.c
> > +++ b/profiles/audio/bap.c
> > @@ -1113,12 +1113,7 @@ static void setup_free(void *data)
> > if (setup->destroy)
> > setup->destroy(setup);
> >
> > - bt_bap_stream_unlock(setup->stream);
> > -
> > - if (!closing) {
> > - /* Release if not already done */
> > - release_stream(setup->stream);
> > - }
> > + setup->stream = NULL;
>
> This breaks various aspects of unicast, so it doesn't look correct.
>
> Possibly, the problem is that state transition to IDLE is not correctly
> emitted from src/shared/bap.c for BIS when it is detached.
>
> Or, setup->stream should be set to NULL at the point where it is
> invalidated.
It looks like setups are not removed from data->bcast_snks when they are
freed, so probably something like the following fixes it:
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index cda10a643..b6eb91ab3 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -174,6 +174,8 @@ static void setup_free(void *data);
static void bap_data_free(struct bap_data *data)
{
+ struct queue *bcast_snks = data->bcast_snks;
+
if (data->listen_io) {
g_io_channel_shutdown(data->listen_io, TRUE, NULL);
g_io_channel_unref(data->listen_io);
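Review bot: The purpose of the local `bcast_snks` copy is only clear from the next hunk, where `data->bcast_snks` is cleared before the queue is destroyed so that the self-removal in setup_free() sees a NULL queue; a one-line comment at the declaration would keep a later reader from deleting what looks like a redundant local.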
@@ -189,7 +191,9 @@ static void bap_data_free(struct bap_data *data)
queue_destroy(data->srcs, ep_unregister);
queue_destroy(data->bcast, ep_unregister);
queue_destroy(data->server_streams, NULL);
- queue_destroy(data->bcast_snks, setup_free);
+ data->bcast_snks = NULL;
+ queue_destroy(bcast_snks, setup_free);
+
bt_bap_ready_unregister(data->bap, data->ready_id);
bt_bap_state_unregister(data->bap, data->state_id);
bt_bap_pac_unregister(data->bap, data->pac_id);
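Review bot: `data->bcast_snks = NULL;` followed by `queue_destroy(bcast_snks, setup_free);` relies on queue_remove() accepting a NULL queue when setup_free() runs from inside queue_destroy(); BlueZ's queue_remove() does return false on a NULL queue, but that dependency deserves a comment here. It also assumes no setup_free() can run for one of these setups after bap_data_free() returns, since setup->data would then point at freed memory; worth stating in the commit message that every broadcast-sink setup is owned by this queue.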
@@ -1104,6 +1108,9 @@ static void setup_free(void *data)
if (setup->ep)
queue_remove(setup->ep->setups, setup);
+ if (setup->data)
+ queue_remove(setup->data->bcast_snks, setup);
+
setup_io_close(setup, NULL);
util_iov_free(setup->caps, 1);
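Review bot: This removal addresses a setup freed on the detach path being left in data->bcast_snks and visited again from bap_data_free(), which is the double visit behind the reported trace; the `if (setup->data)` guard covers the owner pointer, while the NULL field case is covered only by the queue_remove() contract noted above. The unlock/release of setup->stream further down in setup_free() is untouched, so the fix depends on a freed setup never being visited again rather than on setup->stream staying valid; a sentence saying so in the commit message would make the reasoning checkable.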
--
Pauli Virtanen
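A constructed C model of the teardown ordering in the patch above, added here as an example and not BlueZ code (the names queue_remove, queue_destroy, setup_free, bap_data_free and bcast_snks are borrowed from the thread; the queue is a minimal stand-in for src/shared/queue.c that keeps the same NULL-tolerant queue_remove() contract). A setup's free hook removes it from its owner's queue, and the owner clears its bcast_snks field before destroying the queue, so a setup freed early on the detach path never leaves a stale entry and the self-removal during queue_destroy() hits a NULL queue instead of a list being torn down.

```c
#include <stdbool.h>
#include <stdlib.h>

struct queue_entry { void *data; struct queue_entry *next; };
struct queue { struct queue_entry *head; };
struct bap_data { struct queue *bcast_snks; };  /* owner of the setups */
struct setup { struct bap_data *data; };         /* back-reference to owner */
static int setups_freed;                         /* setup_free() calls so far */

/* Same contract the thread relies on: a NULL queue yields false, no crash. */
static bool queue_remove(struct queue *q, void *data)
{
	if (!q || !data)
		return false;
	for (struct queue_entry **pp = &q->head; *pp; pp = &(*pp)->next) {
		if ((*pp)->data == data) {
			struct queue_entry *e = *pp;
			*pp = e->next;
			free(e);
			return true;
		}
	}
	return false;
}

/* Unlinks the whole list first, then runs the destroy hook on each element. */
static void queue_destroy(struct queue *q, void (*destroy)(void *))
{
	struct queue_entry *e = q->head;
	q->head = NULL;
	while (e) {
		struct queue_entry *next = e->next;
		destroy(e->data);
		free(e);
		e = next;
	}
	free(q);
}

/* As in the setup_free() hunk: leave the owner's queue, so an early free on
 * the detach path cannot leave a stale entry for bap_data_free() to hit. */
static void setup_free(void *data)
{
	struct setup *setup = data;
	if (setup->data)
		queue_remove(setup->data->bcast_snks, setup);
	setups_freed++;
	free(setup);
}

/* As in the bap_data_free() hunk: copy, clear, then destroy, so the
 * self-removal above sees a NULL queue rather than one being torn down. */
static void bap_data_free(struct bap_data *data)
{
	struct queue *bcast_snks = data->bcast_snks;
	data->bcast_snks = NULL;
	queue_destroy(bcast_snks, setup_free);
	free(data);
}

/* Constructed scenario: n setups, the first k freed early (detach path), the
 * rest by bap_data_free(). Returns the setup_free() call count, which must
 * equal n: every setup freed exactly once, none twice, none leaked. */
static int run_teardown(int n, int k)
{
	struct bap_data *data = calloc(1, sizeof(*data));
	struct setup **setups = calloc(n, sizeof(*setups));
	setups_freed = 0;
	data->bcast_snks = calloc(1, sizeof(struct queue));
	for (int i = 0; i < n; i++) {
		struct queue_entry *e = calloc(1, sizeof(*e));
		setups[i] = calloc(1, sizeof(*setups[i]));
		setups[i]->data = data;
		e->data = setups[i];
		e->next = data->bcast_snks->head;
		data->bcast_snks->head = e;
	}
	for (int i = 0; i < k; i++)
		setup_free(setups[i]);
	bap_data_free(data);
	free(setups);
	return setups_freed;
}
```

Without the self-removal in setup_free(), the early-freed setups would still sit in the queue and be handed to setup_free() a second time from queue_destroy(), which is the double visit ASan reports on the real code.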
* Re: [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
From: Luiz Augusto von Dentz @ 2025-12-23 14:40 UTC (permalink / raw)
To: Sarveshwar Bajaj
Cc: linux-bluetooth, vinit.mehta, mahesh.talewad, devyani.godbole
Hi Sarveshwar,
On Tue, Dec 23, 2025 at 8:52 AM Sarveshwar Bajaj
<sarveshwar.bajaj@nxp.com> wrote:
>
> Fix crash when removing or disconnecting a device with active broadcast
> streams. AddressSanitizer reports a heap-use-after-free in
> bt_bap_stream_get_state() called from release_stream() during
> setup_free().
>
> Detach frees BIS streams during teardown, but setup_free() still
> unlocks and releases setup->stream afterwards, leaving a stale pointer
> and triggering UAF. This can happen with multiple BIS streams since
> each setup holds its own invalid reference.
>
> Fix by skipping unlock/release in setup_free() and clearing
> setup->stream to prevent further access.
>
> Log:
> ERROR: AddressSanitizer: heap-use-after-free on address
> 0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp 0x7ffcdef9b860
> READ of size 8 at 0x7c43a43e3458 thread T0
> #0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
> #1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
> #2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
> #3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
> #4 0x572415a29440 in queue_destroy src/shared/queue.c:60
> #5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
> #6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
> #7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
> #8 0x5724159a7eb9 in service_remove src/service.c:239
> #9 0x5724159cfa49 in device_remove src/device.c:5489
> #10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
> #11 0x5724159b99c7 in device_disappeared src/device.c:3854
Hmm, I thought we fixed the device being temporary with broadcast: if
there is a broadcast stream then the device shall be marked as
connected, so it wouldn't trigger the sequence above. Perhaps you
encountered this with an old version? Or maybe it is the kernel that is
old.
> #12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
> #13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
> #14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
> #15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
> #16 0x7f63a58f9156 in g_main_loop_run
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
> #17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
> #18 0x572415abd9c4 in mainloop_run_with_signal
> src/shared/mainloop-notify.c:196
> #19 0x5724159ea378 in main src/main.c:1550
> #20 0x7f63a562a577 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
> #21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
> #22 0x57241587d464 in _start
> (/home/workspace/bluez/src/bluetoothd+0x106464)
> 0x7c43a43e3458 is located 120 bytes inside of 160-byte region
> [0x7c43a43e33e0,0x7c43a43e3480)
> freed by thread T0 here:
> #0 0x7f63a5b212ab in free
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
> #1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
> #2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
> ---
> profiles/audio/bap.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
> index cda10a643..f30262987 100644
> --- a/profiles/audio/bap.c
> +++ b/profiles/audio/bap.c
> @@ -1113,12 +1113,7 @@ static void setup_free(void *data)
> if (setup->destroy)
> setup->destroy(setup);
>
> - bt_bap_stream_unlock(setup->stream);
> -
> - if (!closing) {
> - /* Release if not already done */
> - release_stream(setup->stream);
> - }
> + setup->stream = NULL;
>
> if (setup->ep)
> bap_update_cigs(setup->ep->data);
> --
> 2.48.1
>
--
Luiz Augusto von Dentz
* RE: Fix heap-use-after-free in setup_free()
From: bluez.test.bot @ 2025-12-23 14:47 UTC (permalink / raw)
To: linux-bluetooth, sarveshwar.bajaj
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1036073
---Test result---
Test Summary:
CheckPatch PENDING 0.32 seconds
GitLint PENDING 0.32 seconds
BuildEll PASS 20.30 seconds
BluezMake PASS 647.14 seconds
MakeCheck PASS 22.21 seconds
MakeDistcheck PASS 246.80 seconds
CheckValgrind PASS 304.05 seconds
CheckSmatch PASS 353.96 seconds
bluezmakeextell PASS 183.80 seconds
IncrementalBuild PENDING 0.26 seconds
ScanBuild PASS 1055.46 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* RE: [EXT] Re: [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
From: Sarveshwar Bajaj @ 2025-12-24 18:05 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org, Vinit Mehta, Mahesh Talewad,
Devyani Godbole
Hi Luiz,
I ran the test using the BlueZ ToT master branch (commit 05813df5e) with kernel version 6.18.2.
Has this issue been resolved in the latest kernel series (6.19)? If so, could you provide details on the likely fix?
-----Original Message-----
From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Sent: 23 December 2025 20:11
To: Sarveshwar Bajaj <sarveshwar.bajaj@nxp.com>
Cc: linux-bluetooth@vger.kernel.org; Vinit Mehta <vinit.mehta@nxp.com>; Mahesh Talewad <mahesh.talewad@nxp.com>; Devyani Godbole <devyani.godbole@nxp.com>
Subject: [EXT] Re: [PATCH BlueZ v1 1/1] profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
Hi Sarveshwar,
On Tue, Dec 23, 2025 at 8:52 AM Sarveshwar Bajaj <sarveshwar.bajaj@nxp.com> wrote:
>
> Fix crash when removing or disconnecting a device with active
> broadcast streams. AddressSanitizer reports a heap-use-after-free in
> bt_bap_stream_get_state() called from release_stream() during
> setup_free().
>
> Detach frees BIS streams during teardown, but setup_free() still
> unlocks and releases setup->stream afterwards, leaving a stale pointer
> and triggering UAF. This can happen with multiple BIS streams since
> each setup holds its own invalid reference.
>
> Fix by skipping unlock/release in setup_free() and clearing
> setup->stream to prevent further access.
>
> Log:
> ERROR: AddressSanitizer: heap-use-after-free on address
> 0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp
> 0x7ffcdef9b860 READ of size 8 at 0x7c43a43e3458 thread T0
> #0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
> #1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
> #2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
> #3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
> #4 0x572415a29440 in queue_destroy src/shared/queue.c:60
> #5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
> #6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
> #7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
> #8 0x5724159a7eb9 in service_remove src/service.c:239
> #9 0x5724159cfa49 in device_remove src/device.c:5489
> #10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
> #11 0x5724159b99c7 in device_disappeared src/device.c:3854
Hmm, I thought we fixed the device being temporary with broadcast: if there is a broadcast stream then the device shall be marked as connected, so it wouldn't trigger the sequence above. Perhaps you encountered this with an old version? Or maybe it is the kernel that is old.
> #12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
> #13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
> #14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
> #15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
> #16 0x7f63a58f9156 in g_main_loop_run
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
> #17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
> #18 0x572415abd9c4 in mainloop_run_with_signal
> src/shared/mainloop-notify.c:196
> #19 0x5724159ea378 in main src/main.c:1550
> #20 0x7f63a562a577 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
> #21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
> #22 0x57241587d464 in _start
> (/home/workspace/bluez/src/bluetoothd+0x106464)
> 0x7c43a43e3458 is located 120 bytes inside of 160-byte region
> [0x7c43a43e33e0,0x7c43a43e3480)
> freed by thread T0 here:
> #0 0x7f63a5b212ab in free
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
> #1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
> #2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
> ---
> profiles/audio/bap.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index
> cda10a643..f30262987 100644
> --- a/profiles/audio/bap.c
> +++ b/profiles/audio/bap.c
> @@ -1113,12 +1113,7 @@ static void setup_free(void *data)
> if (setup->destroy)
> setup->destroy(setup);
>
> - bt_bap_stream_unlock(setup->stream);
> -
> - if (!closing) {
> - /* Release if not already done */
> - release_stream(setup->stream);
> - }
> + setup->stream = NULL;
>
> if (setup->ep)
> bap_update_cigs(setup->ep->data);
> --
> 2.48.1
>
--
Luiz Augusto von Dentz